dtucker@dodgy.net.au (Darren Tucker) wrote in message news:<c2uoob$bl8$1@gate.dodgy.net.au>...
> In article <a9042b00.0403121157.76270462@posting.google.com>,
> Dan Oviatt <oviattd@mont.disa.mil> wrote:
> >> http://bugzilla.mindrot.org/show_bug.cgi?id=808> >
> >Well thats what I get for not checking Bugzilla first.......
> >
> >Forgive my HP ignorance, but the way I understand it, using the
> >"keyboard-interactive" method means you are letting PAM do the
> >authentication. Where if you leave PasswordAuthentication set to yes,
> >then you are kind of bypassing PAM. Is that why keyboard-interactive
> >is the "preferred" method for use with PAM?
>
> Yes. You can authenticate with password (ie the contents of /etc/passwd
> and/or /etc/shadow) and still have the PAM account and session modules
> run, but if you want to actually authenticate via PAM with 3.7p1 and up,
> you need to use keyboard-interactive.
>
> >The whole reason why I
> >even ask is that our security documentation stipulates that they want
> >ChallengeResponseAuthentication set to no, which shuts off
> >keyboard-interactive authentications. Well if you do that and have
> >PasswordAuthentication also set to no, then the user cant even login
> >because all the authentications have been shut off (we dont use public
> >key). Is there any valid (security) reason to say
> >ChallengeResponseAuthentication must be set to no, or are the security
> >people worrying about something that no longer applies to the current
> >versions of OpenSSH?
>
> They're probably referring to this:
> http://www.openssh.com/txt/preauth.adv>
> In general, disabling stuff you don't need is good policy, but for PAM
> you now need ChallengeResponseAuthentication enabled.

Relevant Pages

Re: keyboard-interactive only authentication... What port is your server listening on? ... Have you thought of using publiy key authentication instead? ... If you opt for PAM with authentication based on /etc/shadow that does not solve your ...ChallengeResponseAuthentication yes ...(SSH)